[libvirt] [PATCH] security: Do not restore kernel and initrd labels

Daniel P. Berrange berrange at redhat.com
Fri Jan 15 10:23:03 UTC 2016


On Fri, Jan 15, 2016 at 11:11:18AM +0100, Jiri Denemark wrote:
> Kernel/initrd files are essentially read-only shareable images and thus
> should be handled in the same way. We already use the appropriate label
> for kernel/initrd files when starting a domain, but when a domain gets
> destroyed we would remove the labels which would make other running
> domains using the same files very unhappy.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=921135
> 
> Signed-off-by: Jiri Denemark <jdenemar at redhat.com>
> ---
>  src/security/security_dac.c     | 8 --------
>  src/security/security_selinux.c | 8 --------
>  2 files changed, 16 deletions(-)
> 
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 80709fe..378b922 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -1128,14 +1128,6 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
>          virSecurityDACRestoreFileLabel(priv, def->os.loader->nvram) < 0)
>          rc = -1;
>  
> -    if (def->os.kernel &&
> -        virSecurityDACRestoreFileLabel(priv, def->os.kernel) < 0)
> -        rc = -1;
> -
> -    if (def->os.initrd &&
> -        virSecurityDACRestoreFileLabel(priv, def->os.initrd) < 0)
> -        rc = -1;
> -
>      if (def->os.dtb &&
>          virSecurityDACRestoreFileLabel(priv, def->os.dtb) < 0)
>          rc = -1;
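Review bot: the `def->os.dtb` restore left in place directly after the removed block has the same shape as the kernel/initrd calls being dropped, and a dtb passed to a guest is a read-only image in the same sense the commit message uses for kernel/initrd, so if several domains can point at one dtb file the stale-label problem this hunk fixes survives for that file; either remove the dtb block in the same patch or say in the commit message why dtb is treated differently. A one-line comment at the removal site (for example "kernel/initrd may be shared between domains, so their labels are never restored") would stop the calls being reinstated by someone who only reads the code.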
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 721c451..475cdbc 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -2034,14 +2034,6 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
>          virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
>          rc = -1;
>  
> -    if (def->os.kernel &&
> -        virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel) < 0)
> -        rc = -1;
> -
> -    if (def->os.initrd &&
> -        virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd) < 0)
> -        rc = -1;
> -
>      if (def->os.dtb &&
>          virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb) < 0)
>          rc = -1;
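Review bot: this hunk mirrors the DAC change exactly, so the open question about the adjacent `def->os.dtb` restore applies here as well; beyond that, the commit message should state why the `nvram` restore kept just above the removed lines is correct while kernel/initrd are not, because after this patch the three OS file kinds in virSecuritySELinuxRestoreAllLabel are handled three different ways with nothing in the code explaining the asymmetry, and a comment next to the nvram/dtb checks would make the intended per-file policy explicit.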

ACK

but I'm wondering if the nvram and dtb lines before & after would
potentially suffer the same problem

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|